§ 252.204-7025 — Notice of Cybersecurity Maturity Model Certification Level Requirements.

48 CFR § 252.204-7025

• Title: Title 48: Federal Acquisition Regulations System
• Part: Part 252: Solicitation Provisions and Contract Clauses
• Source: eCFR (current through Apr 2, 2026)

Text

252.204-7025 Notice of Cybersecurity Maturity Model Certification Level Requirements.

As prescribed in 204.7504(b), use the following provision:

Notice of Cybersecurity Maturity Model Certification Level Requirements (NOV 2025)

(a) Definitions. As used in this provision, controlled unclassified information (CUI), current, Cybersecurity Maturity Model Certification (CMMC) status, Cybersecurity Maturity Model Certification unique identifier (CMMC UID), Federal contract information (FCI), and Plan of action and milestones have the meaning given in the Defense Federal Acquisition Regulation Supplement 252.204-7021, Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirements, clause of this solicitation.

(b)(1) Cybersecurity Maturity Model Certification (CMMC) level. The CMMC level required by this solicitation is: ___[Contracting Officer insert: CMMC Level 1 (Self); CMMC Level 2 (Self); CMMC Level 2 (C3PAO); or CMMC Level 3 (DIBCAC)]. This CMMC level, or higher (see 32 CFR part 170), is required prior to award for each contractor information system that will process, store, or transmit Federal contract information (FCI) or controlled unclassified information (CUI) during performance of the contract.

(2) The Offeror will not be eligible for award of a contract, task order, or delivery order resulting from this solicitation if the Offeror does not have, for each of the contractor information systems that will process, store, or transmit FCI or CUI and that will be used in performance of a contract resulting from this solicitation—

(i) The current CMMC status entered in the Supplier Performance Risk System (SPRS) (https://piee.eb.mil) at the CMMC level required by paragraph (b)(1) of this provision; and

(ii) A current affirmation of continuous compliance with the security requirements identified at 32 CFR part 170 in SPRS.

(c) Plan of action and milestones. If the Offeror has a CMMC Status of Conditional, the Offeror shall successfully close out a valid plan of action and milestones (32 CFR 170.21) to achieve a CMMC Status of Final.

(d) CMMC unique identifiers. The Offeror shall provide, in the proposal, the CMMC unique identifier(s) (CMMC UIDs) issued by SPRS for each contractor information system that will process, store, or transmit FCI or CUI during performance of a contract, task order, or delivery order resulting from this solicitation. The Offeror also shall update the list when new CMMC UIDs are generated in SPRS. The CMMC UIDs are provided in SPRS after the Offeror enters the results of self-assessment(s) for each such information system.

(End of provision) [90 FR 43577, Sept. 10, 2025]